1. Field of the Invention
The invention relates to a system and method for resetting or clearing a secured terminal in preparation for the loading of new application programs, certificates, or other files into the terminal, and in particular to a system and method which, upon receiving a request to clear or reset the terminal, creates a single-use “clear” file that can be digitally signed in order to authenticate the source of the clear or reset request.
According to the invention, the procedure for clearing or resetting the terminal begins with generation by the terminal of a random number. A dynamic clear file including the random number is then created, digitally signed, and authenticated upon loading the signed clear file into the terminal.
In an especially preferred embodiment of the invention, authentication is accomplished by signing the clear file using the private key of a public key-private key cryptosystem, authenticating the digital signature using a signer public key certificate downloaded into the terminal with the signed clear file, authenticating the signer certificate using a “clear” certificate stored in a root directory or within factory-installed firmware within the terminal, and initiating the reset operation in response to reading of a clear string stored in the file type field of the signer certificate.
Optionally, the private key used to sign the clear file may be embedded in a smart card and protected by one or more PINs, thereby permitting authentication to be carried out without compromising the private key. In that case, the signer certificate may also be stored on the smart card and downloaded to the terminal with the signed clear file.
By providing an authenticatable clear file, the invention allows a terminal to be restored to default status by a technician in the field without having to rely on static password protection of the reset operation. In addition, since the random number included in the clear file changes with every reset operation, thereby ensuring that the clear file can only be used once, the invention prevents a replay attack resulting from copying of the signed clear file.
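The clear procedure described above, modelled as an added example in Go (not code from the patent): the terminal issues a random number, the technician signs it, and the terminal checks the signer certificate against the factory-installed clear root, the certificate's file type field, the file signature and the pending random number before resetting and discarding that number. Ed25519, the 16-byte random number and the minimal certificate layout are assumptions; the patent specifies none of them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// SignerCert binds the signer's public key to a file-type field under the clear root's signature (assumed layout).
type SignerCert struct {
	PubKey   ed25519.PublicKey
	FileType string
	RootSig  []byte // clear-root signature over PubKey || FileType
}
func (c SignerCert) tbs() []byte { return append(append([]byte{}, c.PubKey...), c.FileType...) }
// IssueSignerCert is run by whoever holds the clear root private key.
func IssueSignerCert(rootPriv ed25519.PrivateKey, pub ed25519.PublicKey, fileType string) SignerCert {
	c := SignerCert{PubKey: pub, FileType: fileType}
	c.RootSig = ed25519.Sign(rootPriv, c.tbs())
	return c
}
// Terminal holds the factory-installed clear root key and the random number of the pending reset (nil if none).
type Terminal struct {
	ClearRoot ed25519.PublicKey
	pending   []byte
}
// RequestClear generates the random number that forms the dynamic clear file; the technician signs these bytes.
func (t *Terminal) RequestClear() []byte {
	t.pending = make([]byte, 16)
	rand.Read(t.pending)
	return append([]byte{}, t.pending...)
}
// LoadClearFile runs the checks in the order the text describes, then consumes the random number.
func (t *Terminal) LoadClearFile(clearFile, sig []byte, cert SignerCert) error {
	switch {
	case !ed25519.Verify(t.ClearRoot, cert.tbs(), cert.RootSig):
		return errors.New("signer certificate not issued by the clear root")
	case cert.FileType != "clear": // the clear string in the file type field is what authorises a reset
		return errors.New("signer certificate is not a clear certificate")
	case !ed25519.Verify(cert.PubKey, clearFile, sig):
		return errors.New("clear file signature invalid")
	case t.pending == nil || !bytes.Equal(clearFile, t.pending):
		return errors.New("random number mismatch: stale or replayed clear file")
	}
	t.pending = nil // single use: loading the same signed file again is rejected
	return nil
}
```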
2. Description of Related Art
Clearing of files or certificates from a terminal and restoration of the terminal to a default status is typically required when a terminal changes ownership, in preparation for the loading of new application programs, certificates, or other files into the terminal. While a number of systems and methods have been proposed to ensure the authenticity of files loaded into the terminal, the clearing operation has conventionally relied on relatively weak static password protection methods.
The problem with use of stronger file authentication techniques to protect clearing of application programs or certificates from an existing terminal is that (i) in the conventional clearing operation, reset is carried out by invoking a “clear” command in the terminal's operating program, and therefore there are no files to be signed, and (ii) even if the clear command were required to be provided in an authenticatable file, the “clear file” would be vulnerable to copying and replay.
As a result, even where the terminal is part of a system that provides for strong authentication of any files loaded into the terminal, the process of clearing applications and/or certificates from the terminal and restoring the terminal to a default setting is currently carried out either by requiring return of the terminal to a secure facility, or by providing a static password and permitting the clearing operation to proceed only upon entry of the static password. Requiring the terminal to be uninstalled and returned to the secure facility for clearing is obviously inconvenient, while permitting the terminal to be cleared based on a static password carries all of the risks normally associated with static passwords, including password theft, leaving the terminal vulnerable to mischief.